SonicWall has confirmed that attackers gained unauthorized access to cloud-stored firewall configuration backups associated with the MySonicWall portal, affecting all customers who used the cloud backup feature. The company conducted the investigation with Mandiant’s incident response team. While SonicWall states that configuration and credential data within backups are protected with AES‑256 encryption, the exposure of configuration content and metadata still presents material operational risk.
Scope and timeline of the SonicWall cloud backup incident
In mid-September 2025, SonicWall warned of suspicious activity targeting MySonicWall accounts and advised immediate credential changes. At that time, the company noted that roughly 5% of its customer base used the cloud backup service and that “some accounts” appeared affected. In its updated advisory, SonicWall now clarifies that attackers accessed backup configurations (.EXP files) for every customer who leveraged the cloud backup capability. SonicWall reports it has cut off adversary access and is actively cooperating with law enforcement and relevant authorities.
What was exposed and why firewall configuration data is sensitive
Firewall configuration backups encapsulate the organization’s network policy and topology: address objects and security zones, access rules, NAT, routing, VPN parameters, admin accounts, and integrations. Although SonicWall asserts the backups’ sensitive data is encrypted with AES‑256, configuration structure and metadata—such as IP ranges, external services, and management surfaces—can still significantly inform targeting. Knowing how a network is segmented and which services are exposed materially lowers an attacker’s effort to plan and execute intrusions.
Threat scenarios and organizational risk
With configuration intelligence, an adversary can map the environment, prioritize management interfaces for exploitation, tailor payloads to specific device models and firmware, and target site‑to‑site and remote‑access VPNs. Detailed technical context also enhances social engineering and phishing realism. Industry reporting, including the Verizon Data Breach Investigations Report (DBIR), consistently shows that stolen credentials and misconfigurations remain among the most common initial access vectors. Combining credential attacks with configuration awareness increases the likelihood of successful compromise.
How to verify exposure and what to do now
Check your MySonicWall portal for required actions
Log in to MySonicWall and navigate to Product Management → Issue List. If your account shows remediation items, follow SonicWall’s Essential Credential Reset guidance—beginning with internet-facing firewalls and devices that terminate remote access.
Immediate remediation: rotate secrets and harden access
Prioritize the following steps across affected environments:
- Admin access: Reset all administrative passwords, disable unused or suspicious accounts, and enforce MFA everywhere possible.
- VPN and certificates: Regenerate site‑to‑site and remote‑access VPN PSKs, reissue certificates and private keys, and refresh trust anchors if required.
- Integrations: Rotate secrets for RADIUS/TACACS+/LDAP, API keys, and SNMP communities/USM.
- Management plane exposure: Restrict management interfaces by source IP/network, require a jump host or VPN, and block access from untrusted segments.
- Patching and monitoring: Apply current firmware, review logs for unusual logins and policy changes, and enable alerting for configuration and auth anomalies.
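As an added illustration of the log-review step above (example code, not from SonicWall or the original advisory), the following Python script scans constructed key=value firewall log lines for administrator logins and configuration changes originating outside a management allowlist, plus sources with repeated failed logins. The line format, field names (time, src, usr, msg), message texts and sample addresses are assumptions, not SonicWall's actual log schema.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a key=value syslog style (assumed format, not the
# vendor's exact schema). Fields: time, src (client IP), usr (account), msg (event).
SAMPLE_LOGS = """\
time="2025-09-20 02:14:03" src=10.20.0.5 usr=admin msg="Administrator login allowed"
time="2025-09-20 02:15:40" src=203.0.113.77 usr=admin msg="Administrator login allowed"
time="2025-09-20 02:16:02" src=203.0.113.77 usr=admin msg="Configuration change: access rule modified"
time="2025-09-20 02:17:10" src=198.51.100.9 usr=admin msg="Administrator login denied"
time="2025-09-20 02:17:12" src=198.51.100.9 usr=admin msg="Administrator login denied"
time="2025-09-20 02:17:15" src=198.51.100.9 usr=admin msg="Administrator login denied"
time="2025-09-20 09:30:00" src=10.20.0.5 usr=netops msg="Configuration change: VPN policy modified"
"""

# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def analyze(logs, mgmt_nets, failed_threshold=3):
    """Return findings as (kind, src, detail, time) tuples: successful admin logins
    and configuration changes from outside mgmt_nets, and sources whose failed
    login count reaches failed_threshold."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]

    def trusted(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    findings = []
    failures = Counter()
    for raw in logs.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        src, msg = ev["src"], ev["msg"]
        if msg.endswith("login denied"):
            failures[src] += 1
        elif msg.endswith("login allowed") and not trusted(src):
            findings.append(("untrusted_admin_login", src, ev["usr"], ev["time"]))
        elif msg.startswith("Configuration change") and not trusted(src):
            findings.append(("untrusted_config_change", src, ev["usr"], ev["time"]))
    for src, n in failures.items():
        if n >= failed_threshold:
            findings.append(("repeated_login_failures", src, str(n), ""))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS, ["10.20.0.0/24"]):
        print(finding)
```

Feed the script your exported firewall logs (after adapting the field names to your device's format) and set mgmt_nets to the networks from which administration is actually permitted; any finding is a candidate for the credential reset and access-restriction steps listed above.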
Medium-term resilience: backup governance and key management
Strengthen your configuration backup strategy to reduce future blast radius:
- Segregate backup storage, enforce least-privilege access, and separate encryption key management from storage.
- Store backups in encrypted form outside broadly shared cloud environments when feasible, with independent key control.
- Test incident response procedures, including rapid secret rotation and device reprovisioning.
- Automate exposure inventories for public services and management endpoints, and regularly validate that intended controls match actual configurations.
The incident underscores how configuration data, even when encrypted, can expand an organization’s attack surface by revealing operational details. Teams should act with urgency: complete SonicWall’s recommended resets, rotate all critical secrets, enable enhanced monitoring, and reassess backup and key management practices. Rapid, disciplined remediation reduces the window of opportunity for adversaries and limits the downstream impact of this exposure.